Dallas, Texas-based firm EmCare Inc disclosed on Saturday that a number of employees' email accounts had been accessed, potentially exposing personal information of almost 60,000 people, including 31,000 patients.

EmCare, part of Envision Healthcare, provides outsourced physician services to hospitals around the U.S. It has more than 700 practices at locations ranging from major hospitals and health systems to rural hospitals and ambulatory care centers.

In an incident notice statement published on its website on Saturday, April 20, 2019, EmCare said that it had discovered on February 19 that a third-party had gained unauthorized access to certain employees' email accounts. It said that these accounts "contained some patients', employees' and contractors' personal information, including name, date of birth or age, and for some patients, clinical information. In addition, in some instances, Social Security and driverís license numbers were impacted."

The statement does not say how many accounts were accessed, nor how many people's personal information was contained within them. It later told Bloomberg that it may be almost 60,000 people, and that 31,000 were patients. There is no indication of how the unauthorized access was achieved.

The statement attempts to minimize the impact of the breach. EmCare has no evidence that any personal information has been misused, or that anyone will attempt to misuse the information. It is not aware of any person who has been impacted by fraud or identity theft because of the incident; and doesn't even know if any personal information was actually obtained by the intruder.

However, if the company cannot say that data was taken, it equally cannot say that it wasn't taken. And similarly, while no victims of fraud are currently known does not mean that fraudsters will not attempt to misuse any stolen data in the future.

What is perhaps a little surprising is that although the incident was discovered onFebruary 19, it wasn't until April 19 that the company began to send "written notification to all potentially impacted individuals for whom it has contact information." For those employees and patients whose social security number or driving license number were impacted, EmCare has arranged a credit monitoring account with Experian's IdentityWorks.

Equally surprising, and a little disturbing, is that EmCare's policy allows its employees to keep patients' 'clinical information' unencrypted within their email accounts.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.